Linux Format forums: Help, discussion, magazine feedback and more
Feed: http://linuxformat.com/forums/feed.php?t=13242 (updated 2011-03-01T15:17:38+00:00)

Posted 2011-03-01T15:17:38+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=97362#p97362):
With a mask of 255.255.0.0 or /16 they are both in the same subnet, as are all 192.168.x.x addresses. That alone will prevent any routing, as you can only route between different subnets.

There is nothing complex about your setup; it is standard for an internet-facing DMZ and an internal NAT-ed LAN.

To make this work you need to change the masks to 192.168.x.x 255.255.255.0 or /24.

The firewall will need a default route, which would be ip route 0.0.0.0 0.0.0.0 192.168.1.1, assuming your router's address is 192.168.1.1/24, and you will need to be NATing on its 192.168.1.x/24 address.

If you need to be able to get from the 192.168.1.1 LAN to the 192.168.2.1 LAN you will need to put a static route pointing at the IP address of the firewall in your router.

The firewall's 192.168.2.x address needs to be the default gateway for the 192.168.2.0/24 LAN, and the firewall's default gateway needs to be the router's ethernet port 192.168.1.1/24.

As your IP space is private the firewall is not doing anything useful, as 192.168.0.0/16 is not publicly routable IP space (see RFC 1918).

Even if some ISP was dumb enough to advertise it into BGP, most of the ISPs in the world filter it out. Even if they did not, there are millions of 192.168.1.0/24 networks so they can't easily connect. They would need a trojan to connect out, and that is a tad difficult in Linux but maybe not impossible.

Posted 2011-01-26T20:36:08+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96616#p96616):
Remember, the more complex and difficult to understand a firewall setup is, the more likely it is to work incorrectly.

Posted 2011-01-26T20:07:48+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96615#p96615):
What's wrong with that? The servers wouldn't be in the dedicated firewall's DMZ. The dedicated firewall's external NIC would be in the ADSL/border router's DMZ. Any other clients in the house (that are other people's) would just use the ADSL/border router in the normal way and have nothing to do with my set up.

kimcarsons wrote: Sorry, we were talking at cross purposes. I meant a dedicated firewall that is a Linux/BSD box with 3 NICs. One NIC is plugged into the ADSL/border router (and in its DMZ); the other two NICs are plugged into a LAN and a DMZ.

If you plug your firewall in the DMZ then you are bypassing the DMZ, which is illogical; the whole point of the DMZ is to eliminate any possibility of your private network being touched by the interweb. If the machine on the DMZ is accessible from the outside then you can obviously get at it.

Posted by kimcarsons — Tue Jan 25, 2011 6:12 pm (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96578#p96578)

Posted 2011-01-25T15:28:40+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96569#p96569):
Your router sits at the conjunction of three networks: your ISP's, the LAN and the DMZ, so putting a firewall between the router and the DMZ will only protect the DMZ.

As for replacing the ISP's router with something else: that is generally a good idea. Unless they charged you a lot of money for it, it will be the cheapest one they could get hold of.

Posted by kimcarsons — Tue Jan 25, 2011 2:22 pm (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96565#p96565)

Posted by kimcarsons — Tue Jan 25, 2011 2:18 pm (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96564#p96564)

Posted 2011-01-25T14:09:46+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96563#p96563):
So I'm very much hoping that with this and an ADSL modem I'll be able to build whatever network I want at home, being as though said router does come preloaded with DD-WRT. I just thought I'd check here before I bought it. Thank you for any replies.

Posted by nelz — Fri Jan 21, 2011 9:59 pm (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96425#p96425)

Posted by kimcarsons — Fri Jan 21, 2011 1:55 pm (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96411#p96411)

Posted 2011-01-20T22:30:39+00:00 (http://linuxformat.com/forums/viewtopic.php?t=13242&p=96400#p96400):
I'd put a third NIC in the firewall box for the server DMZ and run the firewall on that, using the ADSL modem as just a modem. It will give you far more control over what's going on.

The problem at the moment is that the Linux firewall has to have its NICs on different subnets (external via DHCP from the border router on 192.168.1.*, and its internal on 192.168.2.*). I can, with the current border router, change the subnet mask to 255.255.0.0 so that it doesn't "mind" dealing with addresses on the two different subnets. However, I can't add a route to the internal LAN (192.168.2.*). So the border router only knows that the Linux firewall is reached at 192.168.1.*. And there's no way, on this border router, to add a route to 192.168.2.*. So I can't ping the border router from my Ubuntu hosts on the LAN. I can ping the Linux firewall's internal and external interfaces from the Ubuntu hosts on the LAN. But I can't ping the border router from the LAN because it doesn't know how to get to 192.168.2.*.

I need to replace the border router, which is just a home router, with a machine that has all the usual capabilities of a home router/ADSL box AND the capability to add routes to other subnets. It needs firewalling capabilities because plugged into the switch (coming out of the ADSL box), in the diagram, are 2 Ubuntu servers. It would also be good if it could do things like changing the subnet mask. As flexible as possible.

I'm willing to spend a fair bit, i.e. less than 200 pounds. Off the top of your heads, is there any router that you could recommend that is good for a fully UNIX network involving different subnets that could replace a home router? Or do I need a router that you can install a special Linux on? And if so, are there any recommended? Thank you so much for your time and any replies. Fare ye well.